Provide Federated Access for Your Remote Employees on the Internet

Updated: January 31, 2008

Applies To: Windows Server 2008

This deployment goal builds on the one described in Provide Federated Access for Your Employees on the Corporate Network. It additionally makes it possible for remote employees to obtain Active Directory Federation Services (AD FS) tokens from the account federation server. After obtaining the tokens, the remote employee's client computer can use them to gain federated access to AD FS-secured applications that are hosted in another organization, and to access resources in the employee's own organization.

For example, A. Datum Corporation may want remote employees to have federated access to AD FS-secured applications that are hosted in Trey Research, without requiring A. Datum employees to be on the A. Datum corporate network.

Account federation server proxy: Employees who access the federated application from the Internet use this AD FS component to authenticate. By default, it performs forms authentication, but it can also perform basic authentication. You can also configure it to perform Secure Sockets Layer (SSL) client authentication if users at your organization have certificates to present. For more information, see Where to Place a Federation Server Proxy.

Remote employee: The remote employee, working offsite over the Internet, accesses an AD FS-secured Web application through a supported Web browser, using valid credentials from the corporate network. The employee's client computer at the remote location communicates directly with the federation server proxy to generate a token and authenticate to the application.

The following illustration shows each of the required components for this AD FS deployment goal.